Minot
asked on
Cisco ASA Failover Issue
Hi, I have an ASA 5510 configured for ISP failover on the backup interface via an IP SLA. The failover kicks in when the primary connection goes down; however, once in the failover state we cannot surf the Internet. We are able to ping the web properly. This leads me to look at the ASA config as the probable issue. Config is attached.
names
dns-guard
!
interface Ethernet0/0
description Connected to Comcast
nameif outside
security-level 0
ip address 75.144.138.43 255.255.255.248
!
interface Ethernet0/1
description Connected to Internal LAN
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
description Connected to MPLS Internet
nameif backup
security-level 0
ip address 65.115.13.234 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.com
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp any host 75.144.138.43 eq imap4
access-list outside_access_in extended permit tcp any host 65.115.13.234 eq imap4
access-list outside_access_in extended permit tcp any host 75.144.138.43 eq https
access-list outside_access_in extended permit tcp any host 65.115.13.234 eq https
access-list outside_access_in extended permit tcp any host 75.144.138.43 eq www
access-list outside_access_in extended permit tcp any host 65.115.13.234 eq www
access-list outside_access_in extended permit tcp any host 75.144.138.43 eq smtp
access-list outside_access_in extended permit tcp any host 65.115.13.234 eq smtp
access-list outside_access_in extended permit tcp any host 75.144.138.42 eq 4445
access-list outside_access_in extended permit udp any host 75.144.138.42 eq 22005
access-list outside_access_in extended permit tcp any host 75.144.138.42 eq 22011
access-list outside_access_in extended permit tcp any host 75.144.138.42 eq www
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list Outbound extended permit ip any any
pager lines 24
logging enable
logging trap warnings
logging history warnings
logging asdm informational
logging facility 23
mtu outside 1500
mtu inside 1500
mtu backup 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 63.229.110.116 255.255.255.252
nat (inside) 1 63.229.110.208 255.255.255.252
nat (inside) 1 63.229.110.228 255.255.255.252
nat (inside) 1 63.229.110.232 255.255.255.252
nat (inside) 1 63.237.187.20 255.255.255.252
nat (inside) 1 63.237.239.24 255.255.255.252
nat (inside) 1 172.25.0.0 255.255.0.0
nat (inside) 1 192.168.0.0 255.255.0.0
static (inside,outside) tcp interface www 192.168.1.22 www netmask 255.255.255.255
static (inside,backup) tcp interface www 192.168.1.22 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.22 https netmask 255.255.255.255
static (inside,backup) tcp interface https 192.168.1.22 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.22 imap4 netmask 255.255.255.255
static (inside,backup) tcp interface imap4 192.168.1.22 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.22 smtp netmask 255.255.255.255
static (inside,backup) tcp interface smtp 192.168.1.22 smtp netmask 255.255.255.255
static (inside,outside) udp 75.144.138.42 22005 192.168.1.15 22005 netmask 255.255.255.255
static (inside,outside) tcp 75.144.138.42 22011 192.168.1.15 22011 netmask 255.255.255.255
static (inside,outside) tcp 75.144.138.42 www 192.168.1.15 www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 75.144.138.46 1 track 123
route backup 0.0.0.0 0.0.0.0 65.115.13.233 200
route outside 4.2.2.6 255.255.255.255 75.144.138.46 1
route inside 63.149.206.208 255.255.255.252 192.168.1.1 1
route inside 63.229.110.116 255.255.255.252 192.168.1.1 1
route inside 63.229.110.208 255.255.255.252 192.168.1.1 1
route inside 63.229.110.228 255.255.255.252 192.168.1.1 1
route inside 63.229.110.232 255.255.255.252 192.168.1.1 1
route inside 63.237.187.20 255.255.255.252 192.168.1.1 1
route inside 63.237.239.24 255.255.255.252 192.168.1.1 1
route inside 172.25.1.0 255.255.255.0 192.168.1.3 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside 192.168.7.0 255.255.255.0 192.168.1.1 1
route inside 192.168.9.0 255.255.255.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.6 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
track 123 rtr 1 reachability
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 60
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
prompt hostname context
Try changing the timers:
sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.6 interface outside
num-packets 3
frequency 5
Or try using a different IP address for monitoring; sometimes that solves the issue.
Have you tested the backup link?
Can you please post the "sh route" output?
Can you please provide us with the following outputs:
show running-config sla monitor
show sla monitor configuration 123
show sla monitor operational-state 123
show sla monitor operational-state
Odd that this was your solution - you are missing a NAT statement on the backup interface.
You need to use the track parameter in the route command, like this:
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
!--- Enter this command in order to track a static route.
!--- This is the static route to be installed in the routing
!--- table while the tracked object is reachable. The value after
!--- the keyword "track" is a tracking ID you specify.
It means the ASA will track whether this route's connection is up or not; when this connection goes down it will shift to the backup link.
For monitoring the link you have to configure link monitoring on the ASA:
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
!--- This configures a new monitoring process with the ID 123. Specify the
!--- monitoring protocol and the target network object whose availability the tracking
!--- process monitors. Specify the number of packets to be sent with each poll.
!--- Specify the rate at which the monitor process repeats (in seconds).
Schedule of monitoring:
sla monitor schedule 123 life forever start-time now
!--- Schedule the monitoring process. In this case the lifetime
!--- of the process is specified to be forever. The process is scheduled to begin
!--- at the time this command is entered. As configured, this command allows the
!--- monitoring configuration specified above to determine how often the testing
!--- occurs. However, you can schedule this monitoring process to begin in the
!--- future and to only occur at specified times.
track 1 rtr 123 reachability
!--- Associate a tracked static route with the SLA monitoring process.
!--- The track ID corresponds to the track ID given to the static route to monitor:
!--- route outside 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1
!--- "rtr" = Response Time Reporter entry. 123 is the ID of the SLA process
!--- defined above.
For more information, there is a Cisco doc available:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
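As an added example (not from the thread or from Cisco's documentation), the Python below audits a constructed, shortened excerpt of the posted config for the things the replies ask about: that the tracked default route, its track object, the SLA probe and the probe target's host route all point at the same interface, that every default-route interface has a global PAT entry, and that port forwards published on one egress interface also exist on the other.

```python
import re
# Constructed excerpt of the ASA config posted in the thread (shortened).
ASA_CONFIG = """\
global (outside) 1 interface
global (backup) 1 interface
static (inside,outside) tcp interface www 192.168.1.22 www netmask 255.255.255.255
static (inside,backup) tcp interface www 192.168.1.22 www netmask 255.255.255.255
static (inside,outside) tcp 75.144.138.42 www 192.168.1.15 www netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 75.144.138.46 1 track 123
route backup 0.0.0.0 0.0.0.0 65.115.13.233 200
route outside 4.2.2.6 255.255.255.255 75.144.138.46 1
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.6 interface outside
track 123 rtr 1 reachability
"""

def audit_failover(cfg):
    """Return findings where the tracked route, SLA probe and NAT rules disagree."""
    lines = [ln.strip() for ln in cfg.splitlines() if ln.strip()]
    defaults, hostroutes, tracks, slas, globs, statics, sla_id = {}, set(), {}, {}, set(), {}, None
    for ln in lines:
        if m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ \d+(?: track (\d+))?$", ln):
            defaults[m[1]] = m[2]                       # interface -> track id (None = untracked)
        elif m := re.match(r"route (\S+) (\S+) 255\.255\.255\.255 ", ln):
            hostroutes.add((m[1], m[2]))                # (interface, host) pinned by a /32 route
        elif m := re.match(r"track (\d+) rtr (\d+) reachability$", ln):
            tracks[m[1]] = m[2]                         # track id -> sla id
        elif m := re.match(r"sla monitor (\d+)$", ln):
            sla_id = m[1]
        elif m := re.match(r"type echo protocol ipIcmpEcho (\S+) interface (\S+)$", ln):
            slas[sla_id] = (m[1], m[2])                 # sla id -> (probe target, interface)
        elif m := re.match(r"global \((\S+)\)", ln):
            globs.add(m[1])                             # interfaces with a global PAT pool
        elif m := re.match(r"static \(inside,(\S+)\) (\S+) \S+ \S+ (\S+) (\S+) ", ln):
            statics.setdefault((m[2], m[3], m[4]), set()).add(m[1])  # (proto, host, port) -> ifcs
    findings = []
    for ifc, tid in defaults.items():
        if ifc not in globs:
            findings.append(f"no 'global ({ifc})' entry: PAT fails when {ifc} is the egress")
        if tid is None:
            continue
        sla = slas.get(tracks.get(tid), (None, None))
        if sla[1] != ifc:
            findings.append(f"track {tid}: SLA probe interface {sla[1]} != route interface {ifc}")
        elif (ifc, sla[0]) not in hostroutes:
            findings.append(f"no host route pinning probe target {sla[0]} to {ifc}")
    for (proto, host, port), ifcs in statics.items():
        for missing in sorted(set(defaults) - ifcs):
            findings.append(f"{proto}/{port} to {host} not published on {missing}")
    return findings
```

On the excerpt the only finding is the www forward to 192.168.1.15, which is published through the outside address only and so disappears while the backup route is active; the same check with `global (backup)` removed reports the missing PAT entry as well.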